The purpose of this paper is to provide clarification to educators regarding the privacy of 
records and information related to the requirements of the Health Insurance Portability 
and Accountability Act (HIPAA) of 1996. This paper was originally distributed in 2003 
and has been updated with resources and web page links. Additional resources and 
websites are provided for the reader to obtain current information regarding the required 
privacy regulations. 

What is HIPAA? 

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, 
includes important — but limited — protections for millions of working Americans and 
their families around the ability to obtain and keep health coverage. Among its specific 
protections, HIPAA does the following: 

• Limits the use of preexisting condition exclusions. 

• Prohibits group health plans from discriminating by denying you coverage or 
charging you extra for coverage based on your or your family member's past or 
present poor health. 

• Guarantees certain small employers and certain individuals who lose job-related 
coverage the right to purchase health insurance. 

• Guarantees, in most cases, that employers or individuals who purchase health 
insurance can renew the coverage regardless of any health conditions of 
individuals covered under the insurance policy. 

In short, HIPAA may lower the individual’s chance of losing existing coverage, ease the 
ability to switch health plans, and/or help buy coverage if an individual loses an 
employer's plan and has no other coverage available. 

What is the HIPAA Privacy Rule? 

The privacy provisions of the federal law, HIPAA, apply to health information created or 
maintained by health care providers who engage in certain electronic transactions, health 
plans, and health care clearinghouses. The Department of Health and Human Services 
(DHHS) has issued the regulation, "Standards for Privacy of Individually Identifiable 
Health Information," applicable to entities covered by HIPAA. The Office for Civil 
Rights (OCR) is the departmental component responsible for implementing and enforcing 
the privacy regulation. (See the Statement of Delegation of Authority to the Office for 
Civil Rights, as published in the Federal Register on December 28, 2000. 
http://www.hhs.gov/ocr/hipaa/bkgmd.html) 

The DHHS issued the privacy rule to implement the requirement of HIPAA. The privacy 
rule standards address the use and disclosure of individuals’ health information, or 
“protected health information,” by organizations subject to the privacy rule, or “covered 
entities,” as well as standards for individuals’ privacy rights to understand and control 
how their health information is used. Within DHHS, the OCR has the responsibility for 
implementing and enforcing the Privacy Rule with respect to voluntary compliance 
activities and civil money penalties. 

A major goal of the privacy rule is to ensure that individuals’ health information is 
properly protected while allowing the flow of health information needed to provide and 
promote high-quality health care and to protect the public’s health and well being. The 
rule strikes a balance that permits important uses of information while protecting the 
privacy of people who seek care and healing. Given that the health care marketplace is 
diverse, the rule is designed to be flexible and comprehensive to cover the variety of uses 
and disclosures that need to be addressed. (See U.S. DHHS, OCR PRIVACY BRIEF, 
Summary of the HIPAA Privacy Rule, HIPAA Compliance Assistance at 
http://www.DHHS.gov/ocr/privacysummary.pdf) 

What is FERPA and how is it different from HIPAA? 

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects 
the privacy of student education records. The law applies to all schools that receive 
funds under an applicable program of the U.S. Department of Education. 

FERPA gives parents certain rights with respect to their children's education records. 

These rights transfer to the student when he or she reaches the age of 18 or attends a 
school beyond the high school level. Students to whom the rights have transferred are 
"eligible students." 

FERPA defines education records as those records that contain information directly related 
to a student that are maintained by an education agency, institution, or person acting for the 
agency or institution. (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html) 

Health records are defined through the HIPAA privacy regulation, 45 CFR § 164.501: 
Protected Health Information means any individually identifiable health information that 
is 

• Transmitted by electronic media, 

• Maintained in any medium described in the definition of electronic media at 
§162.103 of this subchapter, and 

• Transmitted or maintained in any other form or medium. 

Protected health information excludes individually identifiable health information 
in education records covered by FERPA, as amended, 20 U.S.C. 1232g. 

Must public schools and education agencies comply with HIPAA? 

The preamble to the privacy regulation includes the following statement by the DHHS, 
the entity responsible for developing HIPAA Privacy: 

While we strongly believe every individual should have the same level of 
privacy protection for his/her individually identifiable health information, 
Congress did not provide us with authority to disturb the scheme it had 
devised for records maintained by educational institutions and agencies 
under FERPA. We do not believe Congress intended to amend or preempt 
FERPA when it enacted HIPAA. 

The HIPAA final rule explains that records that are subject to FERPA are not subject to 
HIPAA. Additionally, medical records that are exempt from FERPA's definition of 
"education records" under the section 99.3 provision are also exempt from coverage by 
HIPAA. (Page 82483 of the December 28, 2000, Federal Register HIPAA final rule) 

Who must comply with HIPAA? 

As required by Congress in HIPAA, the Privacy Rule covers the items listed below: 

• Health plans 

• Health care clearinghouses 

• Health care providers who conduct certain financial and administrative 
transactions electronically (These electronic transactions are those for which 
standards have been adopted by the Secretary under HIPAA, such as electronic 
billing and fund transfers.) 

These covered entities are bound by the new privacy standards even if they contract with 
others (called “business associates”) to perform some of their essential functions. The law 
does not give the DHHS the authority to regulate other types of private businesses or 
public agencies through this regulation. For example, DHHS does not have the authority 
to regulate employers, life insurance companies, or public agencies that deliver social 
security or welfare benefits. 

Many of the questions regarding covered entities, disclosures, access, and policies can be 
found at the Question and Answer site located at http://answers.hhs.gov/ . Specific 
questions are answered by clicking on the link to Health Information Privacy Policy 
subcategories. 

What does the HIPAA Privacy Rule require providers to do? 

Covered Entities must protect individually identifiable health information against 
deliberate or inadvertent misuse or disclosure. Consequently, health plans and providers 
must maintain administrative and physical safeguards to protect the confidentiality of 
health information as well as protect against unauthorized access. HIPAA final rules 
explicitly mention the following actions: 

• Adopt written privacy procedures. 

• Train employees about security. 

• Designate a privacy officer. 

• Develop legal agreements that extend privacy protections to third-party business 
associates. 

• Obtain patient consent for most disclosures of protected health information. 

• Provide the minimum amount of information necessary. 

Those that misuse personal health information can be punished. The DHHS Office for 
Civil Rights, which is responsible for implementing the Privacy rules, can impose civil 
monetary penalties and criminal penalties for certain wrongful disclosures of protected 
information. Civil penalties can be imposed up to $25,000 per year and criminal penalties 
can range from $50,000 and one year in prison to $250,000 and 10 years in prison. 

These entities must inform individuals about how their health information is used and 
disclosed and ensure them access to their information. Written authorization from 
patients for the use and disclosure of health information for most purposes is also 
required with the exception of health care treatment, payment, and operations (and for 
certain national priority purposes). 

(See Kumekawa, Joanne K. (September 30, 2001) "Health Information Privacy 
Protection: Crisis or Common Sense?" Online Journal of Issues in Nursing. Vol. 6 No. 3, 
Manuscript 2. Available at http://www.nursingworld.org/ojin/topic16/tpc16_2.htm) 

Would education programs ever be subject to HIPAA? 

You may need to contact DHHS to inquire about the applicability of HIPAA to records 
on non-students. However, students’ medical records and education records under 
FERPA are not subject to HIPAA and should not be disclosed to DHHS under HIPAA. 

Educational institutions that provide health care services to individuals other than 
students or that provide health care coverage to their employees need to be familiar with 
and may be subject to HIPAA. Educational institutions that do not receive federal funds 
and maintain any student medical records may also be subject to HIPAA requirements. 

The procedures for the submission of electronic records and billing of medical 
information would be subject to HIPAA. For example, schools or Part C agencies that 
bill Medicaid for therapeutic services would need to comply with HIPAA for those 
procedures. 

The safeguards for the protection of privacy under both regulations are comparable and 
ensure confidentiality if staff members are trained and procedures are in place to maintain 
privacy and confidentiality. 

Where can I locate other resources? 

• Office of the Assistant Secretary for Planning and Evaluation Administrative 
Simplification in the Health Care Industry 
http://aspe.os.dhhs.gov/admnsimp/ 

• Office for Civil Rights — HIPAA 

o Medical Privacy — National Standards to Protect the Privacy of Personal 
Health Information 
http://www.DHHS.gov/ocr/hipaa/assist.html 

o Overview of information from the Office of Civil Rights 
http://www.DHHS.gov/ocr/hipaa/guidelines/overview.pdf 

o What’s new at the Office for Civil Rights - HIPAA 
http://www.DHHS.gov/ocr/hipaa/whatsnew.html 

• HIPAA Privacy Rule and Research Website (National Institutes of Health) 
http://privacyruleandresearch.nih.gov/ 

• Final Modifications to the Privacy Rule published in the Federal Register 
www.DHHS.gov/ocr/hipaa/finalreg.html 

• FERPA Regulations 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html 

• FERPA on-line library with reference to HIPAA 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html 